Add basic sendmail TLS configuration by default (#1607314 #c11)

2018-07-23 23:32:56 +02:00 · 2018-07-23 23:32:56 +02:00 · ebce447fcd
commit ebce447fcd
parent 9a6798d79e
2 changed files with 31 additions and 10 deletions
--- a/sendmail-redhat.mc
+++ b/sendmail-redhat.mc
@ -56,15 +56,14 @@ dnl #
 dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl #
-dnl # Rudimentary information on creating certificates for sendmail TLS:
+dnl # Basic sendmail TLS configuration with self-signed certificate for
-dnl #     cd /etc/pki/tls/certs; make sendmail.pem
+dnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).
 dnl # Complete usage:
 dnl #     make -C /etc/pki/tls/certs usage
 dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
 define(`confTLS_SRV_OPTIONS', `V')dnl
 dnl #
 dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
 dnl # slapd, which requires the file to be readble by group ldap
--- a/sendmail.spec
+++ b/sendmail.spec
@ -10,6 +10,8 @@
 %global smshell /sbin/nologin
 %global spooldir %{_localstatedir}/spool
 %global maildir %{_sysconfdir}/mail
 %global sslcert %{_sysconfdir}/pki/tls/certs/sendmail.pem
 %global sslkey %{_sysconfdir}/pki/tls/private/sendmail.key
 # hardened build if not overridden
 %{!?_hardened_build:%global _hardened_build 1}
@ -17,7 +19,7 @@
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.15.2
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@ -102,7 +104,7 @@ BuildRequires: m4
 BuildRequires: systemd
 BuildRequires: gcc
 Provides: MTA smtpdaemon server(smtp)
-Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives
+Requires(post): systemd systemd-sysv coreutils %{_sbindir}/alternatives %{_bindir}/openssl
 Requires(preun): systemd %{_sbindir}/alternatives
 Requires(postun): systemd coreutils %{_sbindir}/alternatives
 Requires(pre): shadow-utils
@ -571,6 +573,23 @@ if [ ! -f %{spooldir}/clientmqueue/sm-client.st ]; then
 	chmod 0660 %{spooldir}/clientmqueue/sm-client.st
 fi
 # Create self-signed SSL certificate
 if [ ! -f %{sslkey} ]; then
  umask 077
  %{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
 fi
 if [ ! -f %{sslcert} ]; then
  FQDN=`hostname`
  if [ "x${FQDN}" = "x" ]; then
    FQDN=localhost.localdomain
  fi
  %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
    -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
  chmod 644 %{sslcert}
 fi
 exit 0
 %preun
@ -730,6 +749,9 @@ fi
 %endif
 %changelog
 * Mon Jul 23 2018 Robert Scheck <robert@fedoraproject.org> - 8.15.2-29
 - Add basic sendmail TLS configuration by default (#1607314 #c11)
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild